Freedom to Hack

(1)

TU Law Digital Commons

Articles, Chapters in Books and Other Contributions to Scholarly Works

2019

Freedom to Hack

Ido Kilovaty

Follow this and additional works at:https://digitalcommons.law.utulsa.edu/fac_pub Part of theComputer Law Commons

This Article is brought to you for free and open access by TU Law Digital Commons. It has been accepted for inclusion in Articles, Chapters in Books and Other Contributions to Scholarly Works by an authorized administrator of TU Law Digital Commons. For more information, please contact

[email protected].

Recommended Citation

(2)

DRAFT—DO NOT CITE 4/26/2018

F

REEDOM TO

H

ACK

Ido Kilovaty1

Abstract

The proliferation of Internet-connected smart devices (the “Internet of Things”) has become a major threat to privacy, user security, Internet security, and even national security. These threats are manifestations of externalities primarily resulting from a market failure in the Internet of Things industry, in which vendors do not have an incentive to implement reasonable security in the software embedded in devices they produce, thus creating cheap and unsecure devices. This Article argues that law and policy have a central role to play in making this digital ecosystem more secure – not only through direct regulation of this industry, but primarily through allowing individual security researchers to hack for security – or “ethical hacking.” At present, laws that prohibit hacking, such as the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act, are adopting a strict liability approach to hacking, which criminalizes almost any form of hacking, regardless of motivation or potential benefits. This Article rejects this outdated approach in the wake of ubiquitous cyber-attacks, imperfect software, and the emerging Internet of Things ecosystem.

This Article argues that law and regulatory agencies should accommodate hacking for security purposes to allow security researchers to discover possible vulnerabilities while shielding them from copyright infringement or criminal liabilities. While security research into software and hardware is desirable, the law by and large restricts such research. This results in a reality of highly unsecure Internet-of-Things devices and could potentially lead to serious harms to security and privacy. Such a legal accommodation should be supported by other legal adaptations, mainly involving regulatory oversight and enforcement, consistent rules for

1_{The author is a Cyber Fellow at the Center for Global Legal Challenges and a}

Resident Fellow at the Information Society Project, Yale Law School. I wish to thank The Center for Cyber Law & Policy at the University of Haifa for its generous support, which made this project possible. I would also like to thank Rosa Brooks, Oona Hathaway, Scott Shapiro, Robin West, Taisu Zhang, Molly Brady, Rebecca Crootof, Claudia Haupt, the ISP fellows’ workshop, Data & Society fellows, and the Georgetown Law fellows’ workshop. This article is forthcoming in the OHIO STATE LAW JOURNAL in 2019.

(3)

vulnerability disclosure, and clear distinctions between ethical and malicious hackers.

(4)

3

Everyday devices and appliances are becoming more sophisticated, computerized, and software-backed. Cars, thermostats, door locks, smart watches, and even toasters are now powered by code and connected to the Internet, which offers a variety of online features that allow users to remotely monitor and control their devices. These objects are collectively referred to as the “Internet of Things” (IoT) to denote that Internet is no longer exclusively a platform for people to communicate with each other; it is now also a network for “things” to communicate amongst themselves and at times to collect and transmit user data to corporations and state authorities.2

The proliferation of IoT devices in personal, business, and public environments is part of a technological shift from hardware to software.3 Physical objects are being supplemented, and even replaced, by software.4 By 2020, it is expected that IoT will reach as many as 20 billion connected devices, compared to 8 billion today,5 with other estimates extending to as much as 50 billion devices.6 The future worth of the IoT industry is also estimated in the hundreds of billions of dollars should its trajectory remain as projected.7 This shift is preceded by a phenomenon of embedding processors into everyday “things.” In the past, this would have been immensely expensive and inefficient, whereas today, microprocessors are widely available and affordable, and Internet

2_{See Bruce Schneier, Security and the Internet of Things, S}_{CHNEIER ON}_S_ECURITY

(Feb. 1, 2017)

https://www.schneier.com/blog/archives/2017/02/security_and_th.html (arguing that data collected about us and the things we do is available to both corporations and governments).

3_{Paul Ohm & Blake Reid, Regulating Software When Everything Has Software,}

GEO.WASH.L.REV. 1672, 1673 (2016).

4_Id.

5_{See Gartner Says 8.4 Billion Connected "Things" Will Be in Use in 2017, Up 31}

Percent From 2016, GARTNER (Feb. 7, 2017)

http://www.gartner.com/newsroom/id/3598917.

6_I_{NTERNET OF}_T_HINGS_–_P_RIVACY_&_S_{ECURITY IN A}_C_ONNECTED_W_ORLD_,_FTC

STAFF REPORT i (Jan. 2015).

7_{Swaroop Poudel, Internet of Things: Underlying Technologies, Interoperability,}

(6)

5

speeds are constantly increasing, meaning that it is easier to manufacture “smart” objects that operate smoothly.8

Software, however, is not the only emerging technological feature in everyday objects. The uniqueness of IoT is its Internet connectivity, which makes it part of the global network grid, with all the pertaining conveniences and dangers.9 The IoT trend will most likely continue to grow and pose serious challenges in the future, both legally and technically. Some argue that the IoT development may signal “the end of ownership,”10_{since copyright}

may stifle any modification to the software of these devices, but copyright law is also in a way a form of information censorship.11

However, I argue that unless a broad freedom to hack these devices for security purposes is recognized, at least until regulatory agencies catch up, IoT technology could also be the end of security

8_{See B}_ROADBAND_C_{OMMISSION FOR}_D_IGITAL_D_EVELOPMENT_, _B_ROADBAND

DRIVES THE INTERNET OF THINGS,

http://www.broadbandcommission.org/Documents/Media%20Corner%20Files% 20and%20pdfs/Broadband%20drives%20the%20Internet%20of%20Things.pdf (“Broadband represents the vital final piece of the puzzle. The need for always-on bandwidth combined with potentially huge numbers of networked objects – some estimate many billion individually connected devices – imply an immense data throughput on networks”). See also LOPEZ RESEARCH,AN INTRODUCTION TO THE INTERNET OF THINGS (IOT) 2 (Nov. 2013), available at

http://www.cisco.com/c/dam/en_us/solutions/trends/iot/introduction_to_IoT_no vember.pdf (identifying the many features of today’s tech world allowing the proliferation of IoT: IPv6, battery life, decreased cost of wireless networks, and broadband speeds).

9_{See Maria Farrell, The Internet of Things – Who Wins, Who Loses? G}_UARDIAN

(Aug. 14, 2015), https://www.theguardian.com/technology/2015/aug/14/internet-of-things-winners-and-losers-privacy-autonomy-capitalism [“With its insecure devices with multiple points of data access, user applications that routinely exfiltrate our sensor data, activity logs and personal contacts, and a Sisyphean uphill struggle required to exert any control over who knows what about us, the Internet of things does more than create whole new cyber-security attack surfaces. It is so riddled with metastasising points of vulnerability that you begin to sense that these are not bugs, but features.”]

10_{See Pamela Samuelson, Freedom to Tinker, 17 T}_HEORETICAL_I_NQ_._{L. 563, 589}

(2016) (quoting AARON PERZANOWSKI & JASON SCHULTZ, THE END OF

OWNERSHIP (2016)).

11_{See Susan Brenner, Complicit Publication: When Should the Dissemination of}

(7)

and privacy, broadly speaking.12_{This is particularly true considering}

that the complexities of IoT software will necessarily mean tradeoffs in terms of security, and vendors creating complex IoT software will have to test it for every possible attack or compromise, which is essentially impossible.13 Even if it were possible, experts argue that software engineers cannot predict future methods of attack,14 and software testing would also not solve the social engineering threat that targets the unwitting cooperation of users,15_{which involves}

“opening an infected file, clicking on a malicious hyperlink, sending personal information to a phishing Web site, or manually adjusting security settings.”16_{However, it is still believed that the vast}

majority of security breaches are caused by flaws in software.17 While embedding access to the global network within ordinary objects offers many advantages – it makes devices more dynamic, customizable, user-friendly (to an extent), and, generally, smarter – it also poses a series of security challenges that, if they remain unaddressed, may represent actual threats to the “digital order” in the form of rampant security breaches and privacy violations.

The major problem with today’s unsecure IoT environment is that it is largely a result of a market failure. The market failure manifests itself in multiple ways. First, the industry is not legally bound by any particular guidelines on security and privacy; a sizable number of devices are therefore unsecure, offering an opportunity for criminals and other exploiters to commit malicious cyber-attacks against innocent users. This could even go further; IoT can also be used as a proxy for larger attacks against critical infrastructure,

12_{See Samuelson, supra note 10, at 589.}

13_{Trevor A. Thompson, Terrorizing the Technological Neighborhood Watch: The}

Alienation and Deterrence of the “White Hats” Under the CFAA, 36 FLA.ST.U. L.REV. 537, 543 (2009).

14_{Capers Jones, Software Defect-Removal Efficiency, 29 C}_OMPUTER_{94, 94–95}

(1996).

15_{See Thompson, supra note 13, at 545 (“Even when software performs as}

intended, software cannot fully protect users from themselves.”) See also

Immunizing the Internet, Or: How I Learned to Stop Worrying and Love the Worm, 119(8) HARV.L.REV. 2442, 2449 (2006) (“[I]t is much harder to ‘patch’ a person than a computer.”).

16_{See Thompson, supra note 13, at 547.}

17_{See Derek Bambauer & Oliver Day, The Hacker’s Aegis, 60 E}_M_._L._R_EV_{. 1051,}

1060 (“Gartner calculates that 75% of security breaches result from software flaws.”).

(8)

7

including the very backbone of the Internet – an externality that neither vendors or IoT users necessarily care about, because they do not directly experience the adverse effects of those externalities.18 Second, IoT vendors have no economic incentive to offer security as a feature in their products, primarily because consumers are not showing strong preferences toward security and privacy as higher priorities than lower prices. At the very least, informational gaps between vendors and consumers lead to an uninformed and inefficient choice by consumers.19_{The Senate has recently}

recognized this particular market failure and has proposed IoT industry-focused legislation.20

Ransomware attacks21 are only one example of malicious activity that criminals or nation-states may use against unsecure IoT devices, and reports indicate that ransomware against IoT is already taking place at present.22 Distributed denial-of-service (DDoS)

18_{See Dyn Statement on 10/21/2016 DDoS Attack,}

https://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/ (explaining how an IoT-enabled denial-of-service attack against DNS provider Dyn made it impossible for Internet users on the East Coast to reach various websites). See also Bruce Schneier, Your

WiFi-connected Thermostat Can Take Down the Whole Internet. We Need New

Regulations, WASHINGTON POST (Nov. 3, 2016),

https://www.washingtonpost.com/posteverything/wp/2016/11/03/your-wifi-

connected-thermostat-can-take-down-the-whole-internet-we-need-new-regulations/ (“An additional market failure illustrated by the Dyn attack is that neither the seller nor the buyer of those devices cares about fixing the vulnerability. The owners of those devices don’t care. They wanted a webcam— or thermostat, or refrigerator—with nice features at a good price. Even after they were recruited into this botnet, they still work fine—you can’t even tell they were used in the attack.”).

19_{See R}_ICHARD_S_PINELLO_,_C_YBER_E_THICS_:_M_{ORALITY AND}_L_{AW IN}_C_YBERSPACE

152(2006) (explaining that the loss of privacy is a market failure).

20_{See Senators Mark Warner, Cory Gardner, Ron Wyden, and Steve Daines,}

Internet of Things Cybersecurity Improvement Act of 2017 – Fact Sheet,

https://www.warner.senate.gov/public/_cache/files/8/6/861d66b8-93bf-4c93- 84d0-6bea67235047/8061BCEEBF4300EC702B4E894247D0E0.iot-cybesecurity-improvement-act---fact-sheet.pdf.

21_{See Kim Zetter, What Is Ransomware? A Guide to the Global Cyberattack’s}

Scary Method, WIRED (Apr. 5, 2017), https://www.wired.com/2017/05/hacker-lexicon-guide-ransomware-scary-hack-thats-rise (explaining that ransomware is malware that prevents access to data resident on a target computer by encrypting data files, without the user being able to access them until he or she pays the ransom).

22_{See Dan Bilefsky, Hackers Use New Tactic at Austrian Hotel: Locking the}

(9)

attacks,23_{data breaches, and surveillance}24_{are all possible threats to}

IoT users if its security problem remains unaddressed.25

Recently, Bruce Schneier, leading cybersecurity and cryptography expert, referred to the increasing prevalence of IoT devices as a “World-sized Web,”26 denoting that this ubiquitous network of devices will benefit corporations seeking to maximize profits, open new vulnerabilities27 for criminals to exploit, and aid totalitarian regimes throughout the world. It is almost a cliché in the information security community that IoT devices are very often unsecure and relatively easy to hack28 due to an abundancy of software flaws, unpatched vulnerabilities, and even an inability to “patch” these devices’ flaws once they are discovered.29_{This is}

for the electronic key system was hit with ransomware). See also Nathaniel Mott,

Ransomware Didn’t Lock People in Their Hotel Rooms, TOM’S HARDWARE (Jan. 30, 2017), http://www.tomshardware.com/news/ransomware-didnt-lock-hotel-rooms,33528.html (claiming that the Austrian hotel ransomware was not quite as reported, but a regular ransomware affecting generation of new keys).

23_{See Anonymous, Immunizing the Internet, Or: How I Learned to Stop Worrying}

and Love the Worm, 119(8) HARV.L.REV. 2442, 2444 (2006) (DDoS attacks are “self-propagating worms [who] take control of vulnerable computers . . . the attackers then command the computer to flood the targeted systems with requests for information, preventing legitimate traffic from getting through.”).

24_{See generally Andrew Ferguson, The Internet of Things and the Fourth}

Amendment of Effects, 104 CAL.L.REV. 805 (2016).

25_{See generally Michael Covington & Rush Carskadden, Threat Implications of}

the Internet of Things, 5th INT’L CONF.CY.CONFLICT (2013).

26_{See Bruce Schneier, The Internet of Things Will be the World’s Biggest Robot,}

SCHNEIER ON SECURITY (Feb. 4, 2016), https://www.schneier.com/blog/archives/2016/02/the_internet_of_1.html.

27_{For the purposes of this Article, “vulnerability” is broadly defined as “a set of}

conditions that may compromise the confidentiality, integrity, or availability of an information system. It is often a simple oversight or weakness in a computer’s software that lets the hacker manipulate computer data.” Edward Freeman,

Vulnerability Disclosure: The Strange Case of Bret McDanel, 16 INFORMATION

SYSTEMS SECURITY 127, 127 (2007).

28_{See Bruce Schneier, IoT Teddy Bear Leaked Personal Audio Recordings,}

SCHNEIER ON SECURITY (Mar. 15, 2017), https://www.schneier.com/blog/archives/2017/03/iot_teddy_bear_.html.

29_{Patchability – the ability to release security updates to fix vulnerabilities, is still}

unavailable in many IoT devices, see Bruce Schneier, The Internet of Things is

Wildly Insecure – And Often Unpatchable, WIRED (Jan. 6, 2014),

(10)

https://www.wired.com/2014/01/theres-no-good-way-to-patch-the-internet-of-9

largely enabled by market forces, which pressure vendors to create cheaper devices at the cost of disregarding security and privacy.30_In

other words, this reality is enabled by the tech industry’s drive to innovate at an accelerated pace,31 while working under the assumption that embedding cybersecurity could stifle this rapid innovation rate.32

To address the abovementioned market failure, this Article argues that outsourcing some of the vulnerability discovery to third-party actors – security researchers – would bolster IoT security. These researchers essentially employ hacking techniques for the purpose of enhancing security – in other words, they think and act like a hacker for the company in order to ward off future criminal hacking.

Currently, federal law imposes significant limitations on unsolicited hacking for security research through both civil penalties and criminalization of certain hacking activities, leading to fears of legal jeopardy among members of the cybersecurity community.33

things-and-thats-a-huge-problem/ (“[I]t’s often impossible to patch the software or upgrade the components to the latest version.”).

30_{See C}_ONNECTED_W_ORLD_: _E_{XAMINING THE}_I_{NTERNET OF}_T_HINGS_: _H_EARING BEFORE THE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION, UNITED STATES SENATE, ONE HUNDRED FOURTEENTH CONGRESS, FIRST

SESSION, S. Hrg. 114–237, 119 (“The computer chips that power these systems are often cheaply produced, rarely updated or patched, and highly susceptible to hacks . . . . These devices will be cheap, even disposable, and the incentives for the manufacturer to provide regular security updates will be minimal.”).

31_{See Schneier (The Internet of Things Is Wildly Insecure – And Often}

Unpatchable) supra note 29 (giving an example of how some of the tech industry

operates – “The chip manufacturer is busy shipping the next version of the chip, and the ODM is busy upgrading its product to work with this next chip. Maintaining the older chips and products just isn’t a priority. And the software is old, even when the device is new. For example, one survey of common home routers found that the software components were four to five years older than the device”).

32_{See Adam Thierer, Andrea O’Suillivan, Leave the Internet of Things Alone,}

U.S. NEWS (Jun. 12, 2017), https://www.usnews.com/opinion/economic-

intelligence/articles/2017-06-12/dont-stifle-the-internet-of-things-with-regulation (arguing that heavy security intelligence/articles/2017-06-12/dont-stifle-the-internet-of-things-with-regulation on IoT will place an undue burden on the IoT industry).

33_{UC Berkeley School of Information, Cybersecurity Research: Addressing the}

(11)

Exceptions to these legal sanctions, if they exist, are typically very narrow and would still put benign actors under the threat of legal consequences from vendors, thus limiting the amount of overall security research as well as the ability to present such research in an academic setting for further study and development.34

In order to enhance IoT security, the law, as well as the institutions creating, interpreting, and applying the law, should allow hacking for the purpose of security research. Such “benign” hacking would reveal flaws and weaknesses in software that, if exploited by malicious actors, could affect not only individuals’ personal security and privacy but even US national security.35_This

approach will increase the efficiency of vulnerability disclosure and patching because there will be no chilling effect on the activity of revealing software vulnerabilities.36 To be clear, security research is only one part of the overall cybersecurity concoction, which should include, in Lawrence Lessig’s words, an optimal balance between “public law and private fences.”37_{There is a race between}

benevolent and malicious actors in cyberspace, and the argument advanced by this paper seeks to empower actors who wish to improve the overall security and privacy of IoT.

https://www.ischool.berkeley.edu/sites/default/files/cybersec-research-nsf-workshop.pdf.

34_{See Derek Bambauer, Oliver Day, The Hacker’s Aegis, 60 E}_M_._L._R_EV_{. 1051,}

1054 (2011) (arguing that IP laws stifle critical security research and blocks or limits the ability to share information relating to security flaws) (citing Jonathan L. Zittrain, The Generative Internet, 119 HARV.L.REV. 1974 (2006)).

35_{See Melissa Hathaway, Cyber Security: An Economic and National Security}

Crisis, 16 INTELLIGENCER 31 (2008). Also, see U.S. Department of Defense, DOD

Announces Digital Vulnerability Disclosure Policy and “Hack the Army” Kick-off (Nov. 21, 2016),

https://www.defense.gov/News/News-Releases/News- Release-View/Article/1009956/dod-announces-digital-vulnerability-disclosure-policy-and-hack-the-army-kick-off (where then-Secretary of Defense, Ash Carter, underscores that “We want to encourage computer security researchers to help us improve our defenses. This policy gives them a legal pathway to bolster the department’s cybersecurity and ultimately the nation’s security.”).

36_{See Malena Carollo, Influencers: Lawsuits to Prevent Reporting Vulnerabilities}

Will Chill Research, CHRISTIAN SCIENCE MONITOR (Sep. 29, 2015) (providing data that 75% of leading experts (referred to as “the Influencers”) believe that lawsuits against vulnerability disclosure in public will have chilling effects on security research).

(12)

11

The underlying hypothesis of this paper is that advancing IoT technologies will transform our lives entirely by becoming a substantial part of our society. The ubiquity of sensors, the physicality of most IoT devices, and the absence of reasonable default security standards could lead to major threats to individual and collective security and privacy. The rapid development of this field has already led to regulatory inefficiency and a serious market failure, enabling vendors to manufacture and sell unsecure IoT devices globally. Providing an incentive for the broader security community to become involved in fixing this ecosystem without fear of legal jeopardy will make individual users safer while also protecting critical infrastructure, such as hospitals, power plants, and the Internet backbone, from IoT externalities.38

This paper will proceed in four parts. In Part I, I will discuss the phenomenon of IoT – “the world of hackable things” – and provide an overview of the market failures at play. These market failures are at the crux of this Article’s argument because they allow threats to individual users and third-parties to flourish as a result of unsecure IoT devices. Part II will be dedicated to introducing the security research environment, in which different types of hackers and motivations are shaping reality. In Part III, I will focus on the legal hurdles impeding “the freedom to hack” – mainly the federal prohibition of circumvention of technological protection measures (TPMs) and criminal liability for unauthorized access to protected computers. Finally, Part IV will propose a concrete framework for creating a normative, technical, and institutional environment in which security researchers can achieve their goal of making software more secure by distinguishing benevolent from malicious actors, strengthening regulatory oversight and enforcement, clarifying statutory boundaries, regulating patchability, creating a consistent procedure for disclosure of vulnerabilities, and tackling security by obscurity.

I. Internet of Hackable Things

38_{See Anonymous, Immunizing the Internet, Or: How I Learned to Stop Worrying}

and Love the Worm, 119(8) HARV.L.REV. 2442, 2443 (2006) (“Not only does current policy create the wrong incentives regarding cybercrime, it does too little to encourage computer hackers and computer users to contribute actively to Intern.”).

(13)

It was probably unimaginable at the conception of the Internet that one day it would be used to connect everyday “things” to it. The development of this phenomenon allowed for machine-to-machine communication, the “communication between . . . entities that do not necessarily need any direct human intervention.”39 Whether through a smart thermostat that learns a user’s temperature-setting patterns,40 a bracelet that tells a user how well she exercises and sleeps,41_{a webcam that can wirelessly transmit photos and videos,}42

a smart toaster offering the perfect toast,43 or a car that has the ability to connect to the Internet and offer navigation services, self-diagnosis tools, and remote control through widely used smartphones,44 such machine-to-machine networks abound.

There is a growing understanding that “things with computers embedded in them” are becoming “computers with things attached to them.”45_{This means that a whole set of legal issues traditionally}

pertaining to computers are transposed into the area of ordinary daily objects, but those ordinary daily objects now have a few extra features that make questions of legality tremendously challenging. For example, previously, if a toaster malfunctioned, it would have been mainly a consumer protection problem, whereas today, it might as well be a telecommunications problem, involving a whole set of

39_{Roberto Minerva, Abyi Biru & Domenico Rotondi, Towards a Definition of the}

Internet of Things (IoT), IEEE INTERNET INITIATIVE, 12 (May 27, 2015), http://iot.ieee.org/images/files/pdf/IEEE_IoT_Towards_Definition_Internet_of_ Things _Revision1_27MAY15.pdf

40_{Nest, Meet the Thermostat, https://nest.com/thermostat/meet-nest-thermostat.} 41_{See Andrew Meola, Wearable Technology and IoT Wearable Devices,}

BUSINESS INSIDER (Dec. 19, 2016), http://www.businessinsider.com/wearable-technology-iot-devices-2016-8.

42_{See Haley Edwards, How Web Cams Helped Bring Down the Internet, Briefly,}

TIME (Oct. 25, 2016), http://time.com/4542600/internet-outage-web-cams-hackers.

43_{Joel Hruska, The Internet of Things Has Officially Peak Stupid, Courtesy of}

This Smart Toaster, EXTREME TECH (Jan. 5, 2017), https://www.extremetech.com/electronics/242169-internet-things-officially-hit-peak-stupid-courtesy-smart-toaster-griffin-technology.

44_{See Thilo Koslowski, Forget the Internet of Things: Here Comes the ‘Internet}

of Cars’, WIRED (Jan. 4, 2013), https://www.wired.com/2013/01/forget-the-internet-of-things-here-comes-the-internet-of-cars.

45_{See Bruce Schneier, Security and the Internet of Things, S}_CHNEIER_O_N

SECURITY (Feb. 1, 2017),

(14)

13

challenges pertaining to privacy and security and, in more extreme circumstances, national security.46

While the general phenomenon of IoT is somewhat intuitive in today’s hyperconnected world, there is no official or widely adopted definition of the technology. One definition is “the ability of everyday objects to connect to the Internet and to send and receive data,”47 a feature that was previously nonexistent in everyday “things.” Another definition provides that IoT is “a network of items—each embedded with sensors—which are connected to the Internet”48_{; another similar definition characterizes IoT as a “system}

where the Internet is connected to the physical world via ubiquitous sensors.”49_{While Internet connectivity is itself quite intuitive, often}

missing in defining IoT is an emphasis on the sensors, actuators, and CPUs, or cloud computers,50 that often comprise the IoT ecosystem. Unlike personal computers (desktop, laptops, smartphones, and the like), IoT devices often lack a user interface, or at least one that allows control over security and privacy features.51 IoT should also be contrasted from popular operating systems, which are supported by large tech companies who constantly offer updates to the software. This largely means that the degree of user control over the configuration of a device is significantly limited and is usually

46_{See Mike Orcutt, Security Experts Warn Congress That Internet of Things}

Could Kill People, M.I.T. TECH. REV. (Dec. 5, 2016), https://www.technologyreview.com/s/603015/security-experts-warn-congress-that-the-internet-of-things-could-kill-people.

47_I_{NTERNET OF}_T_HINGS_–_P_RIVACY_&_S_{ECURITY IN A}_C_ONNECTED_W_ORLD_,_FTC

STAFF REPORT i (Jan. 2015).

48_{See Kathy Pretz, Smart Sensors, T}_HE_I_{NSTITUTE OF} _E_{LECTRICAL AND}

ELECTRONIC ENGINEERS (Mar. 14, 2014), http://theinstitute.ieee.org/technology-topics/internet-of-things/smarter-sensors.

49_{Roberto Minerva, Abyi Biru, and Domenico Rotondi, Towards a Definition of}

the Internet of Things (IoT), IEEEINTERNET INITIATIVE, 10 (May 27, 2015), http://iot.ieee.org/images/files/pdf/IEEE_IoT_Towards_Definition_Internet_of_ Things _Revision1_27MAY15.pdf.

50_{The fact that many IoT devices are supported by cloud computing creates and}

additional risk to privacy, since data stored on the cloud could potentially become the target of a data breach against the cloud itself. See Bambauer, supra note 34, at 1059 (providing an example of cloud weakness that led to a security breach against Twitter).

(15)

controlled by the vendor, if at all. It is expected that the vendor will provide reasonable security already built into the device – “security by design” – but unfortunately, the current state of affairs in IoT has proven otherwise.52

Understanding the physicality of IoT is crucial if we are to create solutions to the wide range of resulting legal challenges. IoT insecurity is not merely a theoretical threat – it is an actual danger to our very homes. Typically, an IoT device is comprised of three components – a sensor, a CPU (or cloud computer), and an actuator.53 While a sensor collects data about its users and environment,54_{the CPU (or “the cloud”) processes that data and}

potentially commands the actuator to take appropriate actions. These two components are essential for controlling the actuator, which is an “output device[] that implement[s] decisions.”55 For example, a sensor could be a thermostat used to monitor the temperature, with a connected CPU tasked with determining whether the air conditioner should be turned on or off, which would be accomplished through the actuator, the actual object that this whole system was built to control. In a way, sensors are the “eyes and ears” of the Internet, and the actuators are “hands and feet.” The CPUs, in this analogy, would be the brain, since they process data and react to it according to certain predetermined software-based rules.56

Since a typical user has little to no control over the security features (and many other features) of their specific device, enhancing the security of the device will necessarily require the user to tinker with the software, which could violate the anti-circumvention rules of the Digital Millennium Copyright Act

52_{See Symantec, An Internet of Things Reference Architecture (2016) (“Most IoT}

devices are “closed.” Customers can’t add security software after devices ship from the factory. Often, such tampering voids the warranty. For such reasons, security has to be built into IoT devices so that they are “secure by design.” In other words, for IoT, security must evolve from security just “bolted onto” existing systems such as servers and personal computer (PC) laptops and desktops. Security must evolve to security that is “built in” to the system before the system leaves the factory.”).

53_{See Schneier, supra note 2.} 54_Id.

55_{See Poudel, supra note 7, at 1003.} 56_{See Schneier, supra note 2.}

(16)

15

(DMCA), unless the user is explicitly exempt from legal liability.57 In addition, security researchers who might want to probe specific IoT devices for vulnerabilities might encounter threats of criminal liability and prosecution if the manner in which they access these devices is unauthorized – which includes virtually any form of hacking.58

Therefore, users often have to rely on vendors’ practices of vulnerability patching and security by design, which do not always exist in a market of accelerated innovation and competition, particularly in cheaper devices.59 In many instances, a vendor’s decision whether to provide vulnerability patches is a question of risk assessment and market forces – and market forces, particularly in the tech industry, do not always work in favor of consumers (if we assume that privacy and security are in the interest of consumers).60 This is perhaps more alarming considering that the

57_{See Aaron Alva, DMCA Security Research Exemption For Consumer Devices,}

Tech@FTC (Federal Trade Commission), https://www.ftc.gov/news- events/blogs/techftc/2016/10/dmca-security-research-exemption-consumer-devices.

58_{See 18 U.S.C. § 1030(a)(2). See also Erin Fleury, Is It Illegal to Test Websites}

For Security Flaws? Heartbleed & The CFAA, MINN.J.L.SCI.&TECH.F. (Dec. 30, 2014), http://editions.lib.umn.edu/mjlst/is-it-illegal-to-test-websites-for-security-flaws-heartbleed-the-cfaa (arguing that the discovery of the OpenSSL Heartbleed security flaw, which allowed intercepting encrypted information, caused systems “to send back far more than what is intended. Of course, the CFAA is meant to target people who use exploits such as this to gain unauthorized access to computer systems, so it would seem that using Heartbleed is clearly within the scope and purpose of the CFAA. The real problem arises, however, for people interested in independently (i.e. without authorization) testing a system to determine if it is still susceptible to Heartbleed or other vulnerabilities”).

59_{See Rapid7’s Comment to NTIA’s call for public comments on “The Benefits,}

Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things”, available at

https://www.ntia.doc.gov/files/ntia/publications/rapid7_comments_to_ntia_iot_r fc_-_jun_2_2016.pdf (“Since IoT devices are highly diversified and include very inexpensive items manufactured by companies with limited security experience, the result can be a considerably more exploitable environment than the status quo.”).

60_{See Keynote Remarks of FTC Commissioner Terrell McSweeny, “Consumer}

Protection in the Age of Connected Everything” 3 (New York Law School, Feb.

3, 2017) available at

https://www.ftc.gov/system/files/documents/public_statements/1070193/mcswe eny_nyls_iot_sympoisum.pdf (“Consumer concern is heightened by business practices that often leave them in the lurch: IoT products may not have patch

(17)

cost of security breaches to users in aggregate is significantly higher than the cost to vendors, which could explain the gap in expectations between vendors and users.61 In other words, “systems are particularly prone to failure[] when the person guarding them is not the person who suffers when they fail.”62

a. The Economics of IoT

Many assume that the market will eventually solve the security and privacy problems of the IoT ecosystem. But this may not be accurate given that these problems are themselves a result of a market failure. The unlikelihood of a market solution is particularly stark when examined in terms of the costs associated with cyber-attacks on IoT, which are often experienced by third parties and are therefore considered externalities.63 Because such externalities involve a wide variety of sectors and actors, with varying degrees of costs and benefits, the prospect of an efficient transaction is unlikely.

When it comes to externalities in software, it is often believed that software vulnerabilities are “inevitable externalities” because flawless software64 does not yet exist. This is further exacerbated by the pressure on vendors by competition to release software to the market as fast as they can.65 While this trend is generally true, it is

support or the same life expectancy as other connected products, and these limitations are not always communicated clearly to consumers… Consumers are repeatedly saying that data security is a top barrier to purchasing connected devices.”).

61_{See Bambauer, supra note 34, at 1059 (“[U]sers face greater harm than vendors}

do, especially overall. While precise figures are difficult to ascertain, reliable estimates of the worldwide economic damage caused by digital attacks in 2003 range from $12.5 billion for worms and viruses, and $226 billion for all attacks, to $157–$192 billion on Windows PCs alone in 2004. Losses to vendors from security breaches, such as from increased support costs, reputational harm, and declines in share price, are also uncertain, but likely considerably smaller. Vendors, therefore, have less incentive to fix bugs than is socially optimal.”)

62_{Anderson & Moore, The Economics of Information Security, 314 S}_CIENCE_610,

610 (2006).

63_{See Schneier, supra note 2.}

64_{See J}_OHN_V_IEGA_,_T_HE_M_YTHS_O_F_S_ECURITY_{142–44 (Mike Loukides ed., 2009).}

See also Jay Pil Choi et al., Network Security: Vulnerabilities and Disclosure Policy, 58 J.INDUS.ECON. 868, 869 (2010).

65_{See Micah Schwalb, Exploit Derivatives & National Security, 9 Y}_ALE_J._L._&

(18)

17

still possible to make software better through constant fixing of vulnerabilities, therefore reaching a socially optimal level of security.

Furthermore, companies who decide to enter the IoT market do not always have the experience needed to implement security features in their devices.66 There is a sizable degree of opportunism when it comes to new players in the IoT industry, making unsecure IoT devices pervasive.

In addition, IoT devices are largely inexpensive and disposable, which precludes most costly security features.67 The literature identifies additional reasons for ubiquitous unsecure IoT devices – lack of experience in data security among vendors, absence of processing power in most IoT devices for “robust security measures such as encryption,” and unforeseen threats,68 given that the attackers are humans who constantly adapt and change their methods.69_{The recurring theme is the inability of vendors to fully}

solve the potential security flaws in IoT devices on their own. At the same time, the users themselves are often unaware of the risks; IoT architecture is often driven by vendors attempting to reduce costs, and the individual consumer is typically interested in a product’s features, rather than its security settings.70_Whereas

computers have been hackable since their conception, the IoT ecosystem increases the stakes to a far greater state of urgency. This is largely enabled by the physicality of IoT, which can cause serious physical harms, and the ubiquitous sensors, which pose a privacy concern to users.71_{This notion is further supported by the}

66_FTC_I_O_T_R_EPORT_{, supra note 6, at 13.} 67_FTC_I_O_T_R_EPORT_{, supra note 6, at 13.}

68_{See Poudel, supra note 7, at 1015 (citing Scott Peppet, Regulating the Internet}

of Things: First Steps Towards Managing Discrimination, Privacy, Security & Consent, 93 TEX.L.REV. 85, 135–36 (2014)).

69_N_IELS_F_ERGUSON_&_B_RUCE_S_CHNEIER_,_P_RACTICAL_C_RYPTOGRAPHY_{5, 11–12}

(2003).

70_{See FTC}_I_O_T_R_EPORT_{, supra note 6, at i–ii.}

71_{See Schneier, supra note 2 (“All computers are hackable. This has as much to}

do with the computer market as it does with the technologies. We prefer our software full of features and inexpensive, at the expense of security and reliability. That your computer can affect the security of Twitter is a market failure. The industry is filled with market failures that, until now, have been largely ignorable.

(19)

unwillingness of certain tech companies to patch their software if it does not yield an effective cost-benefit analysis.72 Furthermore, while security and privacy are certainly important to consumers, it is unclear whether consumers will agree to pay more for a product that is more secure, even if current vendor–user informational gaps are decreased.73 This suggests that even if informing users of the risks is unlikely to solve the problem of unsecure IoT.

The classic solution to externalities resulting from market failures is government intervention in the form of legislation and regulation.74 This Article takes another approach – legislation and regulation of the IoT industry are certainly required, but they could be far more efficient in conjunction with the lifting of burdens constraining security researchers. In other words, the market failure described in this subchapter can be mitigated by security researchers improving software quality through ethical hacking.

b. The Technology of IoT

IoT offers a convenience not previously available in offline objects. First, the user has some remote control over certain features of the device, often from a smartphone or personal computer. She has the ability to customize and monitor the functionality of her appliances, though this is often limited through the user interface provided by the vendor.75 Second, IoT technology equips vendors

As computers continue to permeate our homes, cars, businesses, these market failures will no longer be tolerable. Our only solution will be regulation, and that regulation will be foisted on us by a government desperate to "do something" in the face of disaster.”).

72_{See Andrew Aurenheimer, Forget Disclosure – Hackers Should Keep Security}

Holes to Themselves, WIRED (Nov. 29, 2012),

https://www.wired.com/2012/11/hacking-choice-and-disclosure (“[T]he vendor may decide not to release a patch because a cost/benefit analysis conducted by an in-house MBA determines that it’s cheaper to simply do . . . nothing.”).

73_{See Jay Kesan & Carol Hayes, Bugs in the Market: Creating A Legitimate,}

Transparent, and Vendor-Focused Market for Software Vulnerabilities, 58 ARIZ. L.REV. 753, 781–82 (2016).

74_{See Eli Dourado & Jerry Brito, Is There a Market Failure in Cybersecurity?,}

106 MERCATUS ON POLICY (2012), p. 2.

75_{See Nick Feamster, Who Will Secure the Internet of Things? F}_{REEDOM TO}

TINKER (Jan. 19, 2016), available at https://freedom-to-tinker.com/2016/01/19/who-will-secure-the-internet-of-things (“Manufacturers of consumer products have little interest in releasing software patches and may

(20)

19

with the ability to optimize and improve their products through processing user data generated by the devices. However, this comes at a cost, since consumer data may also be used in negative ways, such as aggressive advertising, sale to third parties, or enhancement of surveillance capabilities.76 Third, IoT technology offers interoperability between devices, which, though it is yet to be fully developed, allows devices to communicate with each other.77 These benefits may sometimes even relate to the health, quality of life, and wellbeing of the user. Insulin pumps and pacemakers are examples of IoT applications in healthcare that revolutionized diagnosis and medical treatment, making these patients’ health much more manageable.78

Cybersecurity risks and threats existed long before the advent of IoT, and the argument made by this Article could apply equally to IoT and non-IoT environments, since software will have flaws regardless of the platform on which it runs. However, the IoT ecosystem creates a serious challenge and shakes up some basic cybersecurity assumptions – it significantly broadens the attack surface that hackers can use, and the level of harm to autonomy is also far greater, thus trivializing hacking in general but also making it more personal.79 This will result in more opportunistic hacking,

even design the device without any interfaces for patching the software in the first place.”).

76_{See generally Andrew Ferguson, The Internet of Things and the Fourth}

Amendment of Effects, 104 CAL.L.REV. 805 (2016).

77_{See Charles McLellan, M2M and the Internet of Things: A Guide, ZDNet (Jan.}

10, 2013), http://www.zdnet.com/article/m2m-and-the-internet-of-things-a-guide.

78_{See FTC}_I_O_T _R_EPORT_{, supra note 6, at 8. (“connected health devices can}

“improve quality of life and safety by providing a richer source of data to the patient’s doctor for diagnosis and treatment[,] . . . improve disease prevention, making the healthcare system more efficient and driving costs down[,] . . . [and] provide an incredible wealth of data, revolutionizing medical research and allowing the medical community to better treat, and ultimately eradicate, diseases.”).

79_{Oliver Tavakoli, The Unintended Attack Surface of the Internet of Things, D}_ARK

READING (Sept. 29, 2015), www.darkreading.com/vulnerabilities---threats/the-unintended-attack-surface-of-the-internet-of-things/a/d-id/1322393 (“[T]he combination of poorly written code and infrequent updates will surely lead to a broader and less manageable attack surface.”). See also FTCIOTREPORT, supra note 6, at 11 (“[A]s consumers install more smart devices in their homes, they may increase the number of vulnerabilities an intruder could use to compromise

(21)

whereby users’ security or privacy may be compromised for potential criminal ends.80

Law and regulation will find it increasingly difficult to address IoT hacking, due to its immense pervasiveness, volume, and trans-border effects and origins. This will leave the most trivial hacking activities unaddressed from a law enforcement perspective.81 The argument in this Article, therefore, proposes enhance security by fixing vulnerabilities through a legal system that legitimizes the activities undertaken by security researchers. These researchers employ hacking and reverse-engineering techniques for the purpose of identifying security flaws and reporting them to the respective vendor and, eventually, the public.

The following sub-sections elaborate on why the IoT ecosystem is particularly challenging in the cybersecurity context – sensors are everywhere, processors are operating physical objects, and the distinctions between software and hardware are eroding. These IoT-specific challenges are creating a particularly vulnerable environment.

1. The Ubiquity of Sensors

The IoT ecosystem is creating a world of ubiquitous sensors.82 These sensors are the eyes and ears of the Internet, collecting data

personal information.”); La Marca & Paez, The Internet of Things: Emerging

Legal Issues for Businesses, 43 N.KY.L.REV. 29, 46 (2016) (“As the number of Internet-connected objects expands, so too does the potential attack surface. The loT faces serious security issues because it is based on interoperability and interdependence: more interactions among devices lead to more areas of vulnerability.”).

80_{Mihai Lazaresu, Hacked by Your Fridge: the Internet of Things Could Spark a}

New Wave of Cyber Attacks, THE CONVERSATION (Oct. 7, 2016), https://theconversation.com/hacked-by-your-fridge-the-internet-of-things-could-spark-a-new-wave-of-cyber-attacks-66493.

81_{Scholars recognize the limits of law enforcement in the world of computer}

crime. See Anonymous, Immunizing the Internet, Or: How I Learned to Stop

Worrying and Love the Worm, 119(8) HARV. L. REV. 2442, 2445 (2006) (“[C]ybercrime cannot be effectively combated solely with traditional law enforcement tools.”).

82_{See Arkady Zaslavsky, Internet of Things and Ubiquitous Sensing, C}_OMPUTER

(Sept. 2013),

https://www.computer.org/web/computingnow/archive/september2013 (“With billions of ICOs [Internet-connected objects] and a diverse abundance of sensors, the IoT will be an enabler of ubiquitous sensing.”).

(22)

21

about the environment and processing and possibly transmitting that data elsewhere.83_{These sensors are working continuously, and they}

are everywhere. IoT devices enable not only data about direct computer use but also data about driving, home heating and cooling, food stored in a refrigerator, pulse and blood pressure, sleep patterns, and much more.

These distributed data can tell a lot about a specific person. The most private and nonintuitive pieces of information about a user are constantly collected by IoT devices and may enable misuse for criminal, business, law enforcement, and other purposes.84 The richness of data within the IoT ecosystem has also led to law enforcement finding this space appealing for surveillance.85

2. Physicality

A significant characteristic of IoT is its physicality. Processors embedded in IoT devices are tasked to operate actual, physical equipment, with tangible consequences in the physical world. Think of a smart thermostat, which learns about the preferences of the user but is also tasked to turn on or off a piece of equipment – the AC or furnace – when certain conditions are met. In this way, the IoT device commands the actuator, meaning that any meddling with IoT could have physical ramifications due to actuators malfunctioning, at times posing danger to physical security. Examples include a

83_{See Hakima Chaouchi & Thomas Bourgeau, Internet of Things: From Real to}

Virtual World, in NAVEEN CHILAMKURTI, SHERALI ZEADALLY, HAKIMA

CHAOUCHI (EDS.), NEXT-GENERATION WIRELESS TECHNOLOGIES: 4G AND

BEYOND 161, 173 (2013) (listing some examples of data collected by sensors – “mechanical data (position, force, pressure), thermal data (temperature, heat flow), electrostatic or magnetic field, radiation intensity (electromagnetic, nuclear), chemical data (humidity, ion, gas concentration), and biological data (toxicity, presence of bio organisms)”).

84_{See Symantec, Internet Security Threat Report Vol. 21, 16 (Apr. 2016),}

https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf.

85_{See Andrew Ferguson, The Internet of Things and the Fourth Amendment}

Effects, 104 CAL.L.REV. 805, 810 (2016) (“The Internet of Things offers new surveillance possibilities that do not involve any physical intrusion into the object. As currently designed, these objects radiate data trails quite useful for law enforcement tracking.”).

(23)

vehicle not responding to its driver’s actions, a disabled insulin pump, and a garage door that won’t open.

In other words, today’s everyday objects are creating telecommunications problems that challenge notions of security and privacy. These challenges are similar whether we talk about healthcare equipment, household objects, or transportation. The effects, however, may be tremendously different – a malfunctioning pacemaker could lead to death, whereas a disabled wearable smartwatch is a matter of inconvenience or, at most, a privacy violation.

3. Software and Hardware Distinction

Although the growing role and share of software in the overall IoT environment cannot be overstated, hardware also poses a host of challenges to the security and privacy associated with IoT.86 For example, researchers at the University of Michigan have recently learned that a CPU manufactured in China had a backdoor built by design into the CPU.87 This enables a small portion of the CPU to be used as an entryway for malware, which can then obtain control over the device. Since IoT devices have CPUs embedded in them, this represents an actual threat to the integrity and resilience of IoT.

From a security and privacy perspective, both the software and the hardware need to be regulated and monitored for potential vulnerabilities that could affect the normal functioning of a device. Regulatory agencies in the U.S. are increasingly focusing their efforts on software, which many believe will be “eating the world” and taking over the digital sphere. But even if this prediction is accurate, hardware may still be designed in a way that allows exploitation, particularly if it is under-regulated due to the appeal of software regulation. Hardware represents an even bigger

86_{See Andy Greenberg, Forget Software – Now Hackers Are Exploiting Physics,}

WIRED (Aug. 31, 2016), https://www.wired.com/2016/08/new-form-hacking-breaks-ideas-computers-work (“The trick works by running a program on the target computer, which repeatedly overwrites a certain row of transistors in its DRAM flash memory, “hammering” it until a rare glitch occurs: Electric charge leaks from the hammered row of transistors into an adjacent row. The leaked charge then causes a certain bit in that adjacent row of the computer's memory to flip from one to zero or vice versa. That bit flip gives you access to a privileged level of the computer's operating system.”).

87_{See Kaiyuan Yang, Matthew Hicks, Qing Dong, Todd Austin, Dennis Sylvester,}

A2: Analog Malicious Hardware, 2016 IEEE SYMPOSIUM ON SECURITY AND

(24)

23

box” problem, since it is extremely time consuming and complicated to determine how a specific computer component works, whereas software is relatively easier to grasp – as security researchers have demonstrated recently. Therefore, the analysis provided by this Article, while focusing mostly on software, could still be applicable to security research into hardware.

c. The Threats of IoT

The characteristics of sensor abundancy and general physicality of IoT lead us to a third attribute, which is particularly alarming. IoT devices are not typically manufactured with robust or even minimal security standards (technical, and possibly mechanical). The IoT market failure results in vendors not implementing security in their IoT devices, mostly due to competition – in other words, in order to reduce manufacturing costs and offer a cheaper product. On the other hand, the average consumer does not typically demand strong security features, most likely due to informational gaps.

This suggests that IoT unsecurity is a global problem, since the same security-lacking devices would be present in the U.S. just as in other parts of the world. Regardless, the U.S. has an important role to play from a legal perspective by setting robust standards and best practices for the rest of the world to follow, including the ethical hacking of IoT devices advanced by this paper. In addition, many IoT vendors are based in the U.S. and so fall under the jurisdiction of U.S. laws and regulations, and so ethical hacking within the U.S. would secure both domestic devices as well as those that are exported to elsewhere in the world.

The IoT revolution comes with a price. While the ability of everyday objects to connect to the Internet offers a broad range of advantages, it also poses a set of specific challenges, stemming from the vulnerabilities that these devices have almost by default. The literature generally identifies three major threats with today’s IoT ecosystem – privacy, individual user security, and third-party security.88

88_{See Sir Mark Walport, The Internet of Things: Making the Most of the Second}

Digital Revolution, UK GOV’T OFF. FOR SCI., 15 no. 3 (Dec. 2014), https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/4 09774/ 14-1230-internet-of-things-review.pdf. Also, see FTCIOTREPORT, supra note 6, p. 10 – (Where the FTC identifies these three threats, providing that

(25)

First, since IoT sensors collect data about their respective users and their environment, unauthorized actors may attempt to access that personal information for a variety of reasons. Having security features within an IoT device could make it much harder for these unauthorized actors to access personal information. However, privacy breaches could then still be committed by vendors and other third parties who seek to monetize the collected data, which could also be labeled as a privacy risk.

Second, malicious actors may try to hack into IoT devices and meddle with the functionality of the device. For example, hackers may decide to shut down a car’s engine,89_{lock a hotel room while}

demanding ransom,90 or disable a pacemaker.91 These are security risks confined to the user.

Third, IoT devices may be used individually (a single IoT device) or collectively (an “army” of compromised IoT devices) to facilitate an attack or breach targeting another computer system.92 In this case, the IoT is used merely as a proxy, which allows the hacker to have more disruptive power (if multiple IoT devices are used for a specific attack) and to mask her or his identity. This is the manifestation of the externalities discussed supra. For example, a hundred thousand compromised IoT devices were used to mount a distributed denial of service (DDoS) attack against Domain Name

unsecure IoT is – “(1) enabling unauthorized access and misuse of personal information, (2) facilitating attacks on other systems, and (3) creating physical safety risks.”)

89_{See Craig Timberg, Hacks on the Highway, W}_ASHINGTON_P_OST_{(July 22, 2015),}

http://www.washingtonpost.com/sf/business/2015/07/22/hacks-on-the-highway.

90_{See Josephine Wolff, The Ransomware Attack That Locked Hotel Guests Out}

of Their Rooms, SLATE (Feb. 1, 2017),

http://www.slate.com/articles/technology/future_tense/2017/02/the_ransomware _attack_that_locked_hotel_guests_out_of_their_rooms.html.

91_{See Morie Moe, Go Ahead, Hackers. Break My Heart, WIRED (Mar. 14, 2016),}

https://www.wired.com/2016/03/go-ahead-hackers-break-heart.

92_{See FTC IoT Report, supra note 6, at 12. (“[A] compromised loT device could}

be used to launch a denial of service attack. Denial of service attacks are more effective the more devices the attacker has under his or her control; as loT devices proliferate, vulnerabilities could enable these attackers to assemble large numbers of devices to use in such attacks. Another possibility is that a connected device could be used to send malicious emails.”).

(26)

25

System (DNS) provider Dyn.93 The Dyn attack made it impossible for Internet users to access websites like Twitter, Netflix, and Reddit.94 This is a security risk against third parties – against the Internet.

1. User Privacy

IoT devices often generate data about the consumer, which raises the risk of these data being compromised. Many consumers would not be able to differentiate between an Internet-connected object and its offline counterpart in terms of the potential privacy implications. Data collected by IoT devices may pose a host of privacy concerns. For example, in the case of an IoT device used to measure blood alcohol – the Breathometer – collected data may impact “employment decisions, criminal liability implications, and health, life, car insurance ramifications.”95_{The data collection,}

retention, and disposal policies of a specific manufacturer are not always communicated to the consumer in a transparent and accessible manner.96 This is of course not unique to the Breathometer, as other IoT devices collect sensitive personal data as well.

These problematic uses of personal information are not the end of the story. Certain devices might require the use of payment methods and passwords, which could be accessed and misused by cyber criminals seeking financial gain.97 If this sensitive information is not properly secured, the number of vulnerabilities and

93_{See Scott Hilton, Dyn Analysis Summary of Friday October 21 Attack,}

VANTAGEPOINT DYN COMPANY NEWS, https://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/.

94_{See Schneier, supra note 2.}

95_{See Scott Peppet, Regulating the Internet of Things: First Steps Towards}

Managing Discrimination, Privacy, Security & Conesnt, 93 TEX.L.REV. 85, 90 (2014).

96_{See Peppet, supra note 95, at 90 (“[M]any ‘things’ have little in their external}

form that suggests they are connected to the Internet. When you grab an Internet-connected scarf from the coat rack or sit on an Internet Internet-connected chair, should you have some obvious sign that data will be transmitted or an action triggered?”) (citing ADRIAN MCEWEN &HAKIM CASSIMALLY,DESIGNING THE INTERNET OF

THINGS 294 (2014)).

97_{See Roey Tzezana, Scenarios for Crime and Terrorist Attacks Using The}

(27)

compromises will increase, exposing personal information to malicious actors.

Another major problem that is currently emerging in the privacy law scholarship is sensor fusion98 – when innocuous and seemingly insignificant data collected by an individual IoT sensor could be used to make inferences about the user when paired with data collected from other IoT sensors. Collectively, the data could be used to make near-certain inferences about the user, though the individual pieces of data would have no meaning on their own. This could be used to make powerful inferences about the user. For example, data from a smartphone’s gyroscope could be used to determine the driving habits of a user; when paired with an IoT pacemaker, the combination of these data can yield an inference about the emotional state and mood of the user.99 Scholars identify a long list of inferences that would be possible under the emerging IoT ecosystem of data collection – “a user’s mood; stress levels; personality type; bipolar disorder; demographics (e.g., gender, marital status, job status, age); smoking habits; overall wellbeing; progression of Parkinson’s disease; sleep patterns; happiness; levels of exercise; and types of physical activity or movement.”100

Considering how personal and sensitive some of these data are, IoT devices should allow for stronger security to prevent breaches that could be devastating to users.

Daniel Solove calls this problem “data aggregation” and argues that, “[v]iewed in isolation, each piece of our day-to-day information is not all that telling; viewed in combination, it begins to paint a portrait about our personalities.”101_{The bottom line is that}

malicious actors have many methods of abusing private information

98_{See Peppet, supra note 95, at 118–24 (“Sensor fusion is the combining of sensor}

data from different sources to create a resulting set of information that is better than if the information is used separately.”).

99_{See Poudel, supra note 7, at 1013.} 100_{See Peppet, supra note 7, at 113.}

101_{See Daniel J. Solove, Access and Aggregation: Public Records, Privacy and}

the Constitution, 86 MINN.L.REV. 1137, 1185 (2002) (“Viewed in isolation, each piece of our day-to-day information is not all that telling; viewed in combination, it begins to paint a portrait about our personalities. The aggregation problem arises from the fact that the digital revolution has enabled information to be easily amassed and combined. Even information in public records that is superficial or incomplete can be quite useful in obtaining more data about individuals. Information breeds information.”).

Freedom to Hack

TU Law Digital Commons

Freedom to Hack

F

REEDOM TO

H

ACK

Contents